The ability to control access and/or distribution of digital data is one of the greatest unsolved technical problems that must be dealt with in the information age. Digital publishers lose billions of dollars due to copyright fraud. Losses include illegal copying of software, video tapes, video games, and audio cassettes. Such copyright fraud ranges from organized large pirating operations in countries where copyright laws are not strictly enforced to individual purchasers of digital works who make two or three copies for friends.
The current art uses cryptography to enforce copyright laws for digital data. Cryptographic techniques are capable of restricting access to confidential data to those who know the appropriate decryption keys. However without special secure hardware to protect the decryption keys, users cannot reliably be prevented from sharing decryption keys, such as by giving them to friends, posting them to computer bulletin boards, selling them, etc. Worse, once the content has been decrypted, it can be copied and distributed freely.
Many copy protection techniques known in the art are limited to computer programs, relying on physical objects which are difficult to copy (such as dongles or media with irregular formatting). The protected program contains special software that tests if the physical object is present and prevents the program from operating if the test fails. This renders copies unusable, since a copy will not function without the presence of the physical object. An example of a technique to fingerprint magnetic media is taught in U.S. Pat. No. 5,428,683. In such a system, digital information about the individual magnetic disk is stored in the physical object. Copies of the content will be on different physical disks, and the individual information will not match. However, the physical object must store information about every magnetic media to be protected. The publisher of a new media must therefore create a new physical object with the new information. This is expensive for the end user and requires considerable technical knowledge to install and use the physical objects.
A related system is discussed in U.S. Pat. No. 4,858,036. This invention protects digital data on magnetic media from unauthorized duplication by dividing the media into two portions. The first portion contains data that can be detected and altered by the read/write device; the second portion contains data that can be detected but not altered by the read/write device. If the second data are not present on a media, this indicates an illicit copy; the reader/writer is disabled.
These techniques do not prevent copying of the raw binary content, but instead attempt to make unauthorized copies of the data useless. This approach can be effective for software which can regulate its own operation, but it cannot be applied to normal data such as digital video, audio, or images. In particular, software can be configured to contain special logic to check whether or not a copy is legitimate. With normal data this kind of copy protection will not work, since the data itself contains value and generally lacks internal logic to regulate its own playback.
Protection systems for normal data thus aim to prevent use of unauthorized copies of the content. Prior-art copy protection systems encrypt the content with a secret key before it is written. (The processes of “writing” content can take many forms, such as storing content on digital media, sending content for transmission over a computer network content to a user, uploading content for broadcast via a computer network, etc.) Note that in addition to keeping keys secret, some systems in the prior art attempt to make the whole encryption method secret, but this does not make any real difference, since methods for recovering secret keys can also recover algorithms.
The encrypted content is obtained by users, then (under normal operation of the system) is decrypted by players (sometimes called readers) which know the correct decryption key. The decrypted data is then optionally uncompressed or otherwise processed, then is sent to an output device (computer display screen, audio system, television, printer, etc.). An unauthorized player should not have a valid decryption key, preventing successful decryption (and hence playback) of the content. For off-line media playback systems, such as digital tape, CD-ROMs, and digital versatile disks (DVDs), every authorized content player would necessarily have to contain copies of all decryption keys. Hardware mechanisms in the player to try to prevent access to the decrypted plaintext and to prevent copying of ciphertext have been attempted, but are frequently broken.
One example of a microprocessor that can be incorporated into readers and players to enforce this type of copy protection is U.S. Pat. No. 5,034,980. A unique ID number is burned into a microprocessor at the time of manufacture. When copy protection of content (software) designed to operate with the microprocessor is desired, the software is encrypted such that it cannot be decrypted without the unique cryptographic code in the microprocessor. If the software or its copy is executed on an unauthorized processor, the decryption will be unsuccessful. This approach requires that the decryption keys remain secret; if a single microprocessor is compromised, all data sent to that microprocessor can be decrypted. The system is most effective if content can be customized for recipients, but unfortunately this is impractical in most commercial environments.
Encryption-based systems of this general type are nevertheless used widely for applications including encrypted satellite television broadcasts and encrypted CD-ROMs. In U.S. Pat. No. 5,513,260, assigned to MacroVision, Ryan discloses such a copy-protection system. The system uses a combination of symmetric (secret-key) and asymmetric (public-key) data encryption to permit the player to handle either copy-protected or non-copy-protected media. (Both of these types of encryption are well known in the art of cryptography.) An authenticating digital signature is recorded on the media, and the media reader prevents the signature from being transferred to illicit copies. The absence of this signature on copy-protected disks causes the player to generate false data which prohibits the disk from playing normally. Therefore, while this system does nothing to prevent copying, the media reader attempts to regulate the use of copies by searching for the digital signature. While the digital signature mechanism can regulate issuance of new content, the system obviously cannot prevent exact copies of the content media from being produced and used by a reader that does not recognize the digital signature. As with the approach in U.S. Pat. No. 5,034,980, compromise of a player's decryption keys enables attackers to decrypt all content it can play.
Digital watermark technologies strive for the detection of illegal copies, rather than their prevention. Unique identifying information is added to each version of the work produces. Each copy made retains the identifying information added at the time of manufacture, allowing the publisher to identify the source of any illegal copies. Digimark Corporation provides such a system with its digital signature technology—allowing a digital signature to be invisibly embedded directly onto photographs, video, computer images, audio, and other forms of creative property. Attempts to remove the digital signature from an image will result in a noticeable degradation in image quality well before the mark is lost, thereby rendering the image useless. Such systems are effective in deterring commercial copyright fraud in which illegal copies are sold to the public, since the watermark data will help identify the original purchaser of the copyrighted work. Casual copying between friends, however, is not deterred since the publisher has no way to know that the copying is occurring. Digital watermarks have the additional disadvantage of working only with specific data types. Skilled attackers who discover the watermark verification process can also remove watermarks without degradation of the underlying information.
To summarize, a major problem common to encryption-based systems is the vulnerability of the keys. Compromise of the key results in system failure. For media players in particular, once attackers reverse-engineer a single player they gain access to the decryption keys for all content playable by that unit. This is a major concern, since attackers using sophisticated reverse-engineering techniques have compromised a wide variety of existing systems, resulting in substantial fraud. In most typical consumer environments, all players must be able to play all content, so compromise of any player yields keys for all content. Other attacks are also possible against these systems. For example, attackers can capture and copy data after it has been decrypted by an authorized decoder and write it to new media. Also, if a single ciphertext stream is playable by a large number of players, attackers can simply duplicate the ciphertext and play it on other units.
The encryption-based approaches thus suffer from many problems:
1. Global secrets must be very heavily protected. In general, security is completely lost if the secrets in even a single player are ever compromised.
2. Some countries strictly regulate the import, export, or use of cryptography. Hardware systems are typically much more tightly restricted than software systems, which may make approaches involving tamper resistant decryption hardware particularly difficult to manufacture, distribute, sell, and use. Some governments may require copies of all decryption keys used, introducing complex logistical requirements as well as additional security risks.
3. Someone who can read the encrypted ciphertext from a storage medium can write an identical disk without needing or knowing the decryption keys. Copies made in this manner can be decrypted and used by any authorized player.
4. Complete specifications for the data decoding process cannot be made public, since decryption keys must be kept secret.
5. Software-based cryptographic decoders cannot be produced, since they can be easily reverse-engineered, revealing the decryption keys. There have been attempts to produce tamper-resistant software systems, but no known techniques are immune to reverse-engineering or can function within the limited memory and processing resources available to typical media playback device drivers.
6. Because software programs will not have access to the decryption keys, software developers will be unable to develop applications to play protected content. Software developers may even be motivated to try to crack the system in order to find the decryption keys required to produce software decoders.
7. The system must prevent access to decrypted plaintext, since otherwise attackers could copy the plaintext data. Consequently such steps as decompression and/or digital-analog conversion must generally occur inside the decryption unit, which in most cases will be outside of the output device (television set, audio speaker, etc.) For digital output devices (such as digital television sets), this will add an unnecessary extra Digital-Analog-Digital conversion which can degrade the signal quality.
8. The protection mechanism is the same for all content and cannot be improved without losing compatibility with existing players.
9. Once someone reverse-engineers a player or otherwise obtains the decryption keys, the whole security model will collapse since attackers can now read, decrypt, and rewrite content with minimal effort. After the initial attack, subsequent attacks thus require very little cost or effort. Historically, security systems relying on global secrets tend to be compromised quickly and are often victims of widespread fraud.
There is no perfect solution to the copy protection problem, since attackers with unlimited resources can always find ways to obtain or recreate the content and distribute it. However, it is possible to significantly increase the cost per successful attack. A successful system attempts to satisfy as many of the following constraints as possible:
1. The system should not be affected by laws and other restrictions on encryption technology.
2. Attackers should be prevented from making exact duplicates of encrypted media, or such duplicates should be unusable.
3. The security system specification should be publishable without destroying the security model.
4. The system should allow for software player implementations, since content playback on standard computers is required for many applications.
5. The system should have no secret encryption keys that can be compromised by reverse-engineering or industrial espionage.
6. Legitimate participants in the system should have no incentive to compromise the security model.
7. Users should have access to raw digital content for playback on digital output devices.
8. There should be minimum system-wide damage resulting from a successful attack or security breach. In particular, no single compromise should destroy the security model.
9. The system should maximize the cost per successful attack.
10. Anyone, including untrusted parties, should be able to issue protected and unprotected content.
Accordingly, it is an object of the invention to design a digital-data protection system which does not require encryption of content, thereby avoiding restrictions governing the manufacture, distribution, sale, or use of encryption technology.
Another object of the invention is to prevent attackers from producing duplicate copies of protected digital content.
Another object of the invention is to allow publication of all specifications for the content reader and, optionally, all specifications for the entire security system.
Another object of the invention is to allow the production and use of software readers without jeopardizing the security of the system.
Another object of the invention is to avoid interfering with legitimate use in order to avoid making otherwise honest participants want to break the security model.
Another object of the invention is to allow users access to the raw digital output, thereby preventing unnecessary Digital-Analog and Analog-Digital conversions.
Another object of the invention is to minimize system-wide security consequences if someone reverse-engineers portions of the system or creates a successful attack.
Another object of the system is to provide a significant barriet to copying, even if all aspects of the security system design are known to an attacker.
Another object of the invention is to support “copy-once” data which may be recorded once by consumers, but cannot later be recopied. Additionally, it is an object to allow the use of more sophisticated protection mechanisms in conjunction with this invention, including “copy-once” data and to control activation of other protection techniques.
Another object of the invention is to be compatible with other copy protection techniques (such as a traditional encryption-based systems) such that both techniques can be used simultaneously to obtain the security advantages of both.
Another object of the invention is to support all kinds of digital data.
Another object of the invention is to provide a protection mechanism which can be implemented and enforced very inexpensively and efficiently in hardware or software.
Another object of this invention is to protect digital data downloaded from computer networks from being retransmitted or copied onto magnetic disks, CD-ROMs, DVDs, or magnetic tapes.
Another object of this invention is to protect digital data on all formats of different media: magnetic disks, CD-ROMs, Digital Versatile Disks (DVDs), magnetic tapes, etc.
Another object of this invention is to work with any digital storage system, including those not yet invented. If implemented in a variety of different systems, it can provide protection with new digital technologies and also prevent cross-media digital copying.
Another object of the invention is to allow anyone to create new protected or unprotected content.
Another object of this invention is to provide a mechanism by which control information can be embedded into data streams.
Another object of the invention is to provide an asymmetric data marking technique for which creation of marked data is generally easier than removal of the marks, even if the mark detection system is known to attackers.
These and other objects of the invention will be apparent to those skilled in the art from the following detailed description of the invention, the accompanying drawings and the appended claims.